Description of problem:
Tried to configure lircd for use with mythtv using irman driver, reading input from /dev/ttyS0. SELINUX prevented.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-166.fc20.noarch
selinux-policy-3.12.1-166.fc20.noarch
lirc-0.9.0-21.fc20.x86_64
lirc-libs-0.9.0-21.fc20.x86_64

How reproducible:
Always,

Steps to Reproduce:
1. Contents of /etc/sysconfig/lircd:

cat /etc/sysconfig/lirc
# Note: in addition to these parameters, you need to have working -*- sh -*-
# configuration file for lircd (and lircmd if enabled).

# Options to lircd(8). Typically, this will be empty, as which driver to use
# should be specified using the LIRC_DRIVER variable below.
LIRCD_OPTIONS=""

# The infrared receiver (and/or transmitter) driver to be used by lircd(8),
# similar to passing "-H driver" to lircd(8).
# Run "/usr/sbin/lircd -H help" to get a listing of supported drivers.
#LIRC_DRIVER="default"
LIRC_DRIVER="irman"

# Which lirc device will be used by lircd(8).
# This is the same as passing "-d device" to lircd. It must be set.
LIRC_DEVICE="/dev/ttyS0"

# Options to lircmd(8). lircmd always runs with --nodaemon added
# to LIRCMD_OPTIONS.
LIRCMD_OPTIONS=""

# The infrared device used by lirc, if any. If this is set, lircd will
# enable the lirc protocol and disable kernel built-in handling using
# "echo lirc > /sys/class/rc/$LIRCD_IR_DEVICE/protocols" at startup.
# If unset, this is ignored.
# - The common case when there is just one ir device: LIRCD_IR_DEVICE="rc0".
# - Non-IR devices e. g., RF ones typically don't need this set.
# - If not set when required, the typical symptom is duobled key-presses.
# - If installing the lirc-disable-kernel-rc subpackage this setting is not
# needed.
LIRCD_IR_DEVICE=""

2. systemctl start lircd
3.

Actual results:
contents of /var/log/audit/audit.log:

type=AVC msg=audit(1401075440.018:2266): avc: denied { read write } for pid=1076 comm="lircd" name="ttyS0" dev="devtmpfs" ino=8651 scontext=system_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Expected results:
Able to read data from ttyS0

Additional info:
Following /var/log/message suggestion:

cat mypol.te

module mypol 1.0;

require {
	type unlabeled_t;
	type tty_device_t;
	type lircd_t;
	class chr_file { write ioctl read lock open };
}

#============= lircd_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow lircd_t tty_device_t:chr_file { read write ioctl open lock };
allow lircd_t unlabeled_t:chr_file ioctl;

Fixed the problem.
4002d3015d0dcb1848bee99c9a1b8928a29d50c5 fixes this in git.
selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20
Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20
Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Since the 171 policy was pushed, I attempted to test it by semodule --remove mypol where mypol.te contained:

cat mypol.te

module mypol 1.0;

require {
	type unlabeled_t;
	type tty_device_t;
	type lircd_t;
	class chr_file { write ioctl read lock open };
}

#============= lircd_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_use_tty'
allow lircd_t tty_device_t:chr_file { read write ioctl open lock };
allow lircd_t unlabeled_t:chr_file ioctl;

Then yum update where it installed 171. Rebooting, lircd failed to connect to /dev/ttyS0, the following error was in /var/log/messages:

Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: accepted new client on /var/run/lirc/lircd
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: could not open /dev/ttyS0
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: irman_init(): Permission denied
Jun 26 21:32:00 whisper lircd-0.9.0[744]: accepted new client on /var/run/lirc/lircd
Jun 26 21:32:00 whisper lircd-0.9.0[744]: could not open /dev/ttyS0
Jun 26 21:32:00 whisper lircd-0.9.0[744]: irman_init(): Permission denied
Jun 26 21:32:00 whisper lircd-0.9.0[744]: Failed to initialize hardware
Jun 26 21:32:00 whisper sh: lircd-0.9.0[744]: Failed to initialize hardware

There wasn't a message about the failure in /var/log/audit/audit.log or a setroubleshoot message in messages.

Reinstalled mypol.pp, reboot, and it worked correctly again.
selinux-policy-3.12.1-176.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-176.fc20
Package selinux-policy-3.12.1-176.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-176.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8029/selinux-policy-3.12.1-176.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-176.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
After upgrading to policy 176, no change. lircd still cannot access /dev/ttyS0 without the mypol file above.

Jul 7 20:06:32 whisper sh: lircd-0.9.0[755]: accepted new client on /var/run/lirc/lircd
Jul 7 20:06:32 whisper sh: lircd-0.9.0[755]: could not open /dev/ttyS0
Jul 7 20:06:32 whisper sh: lircd-0.9.0[755]: irman_init(): Permission denied
Jul 7 20:06:32 whisper sh: lircd-0.9.0[755]: Failed to initialize hardware
Jul 7 20:06:32 whisper lircd-0.9.0[755]: accepted new client on /var/run/lirc/lircd
Jul 7 20:06:32 whisper lircd-0.9.0[755]: could not open /dev/ttyS0
Jul 7 20:06:32 whisper lircd-0.9.0[755]: irman_init(): Permission denied
Jul 7 20:06:32 whisper lircd-0.9.0[755]: Failed to initialize hardware

Once I reloaded the mypol and rebooted, it works fine.

rpm -qa|grep selinux-policy
selinux-policy-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch
commit 2e83809e4c474d6b9b8c156c77dd70657c907c7b
Author: Lukas Vrabec <lvrabec>
Date: Tue Jul 8 10:23:10 2014 +0200

    Allow lircd_t to use tty_device_t for use withmythtv
selinux-policy-3.12.1-177.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-177.fc20
Package selinux-policy-3.12.1-177.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-177.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8390/selinux-policy-3.12.1-177.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-177.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Policy 177 works fine now for Mythtv and lircd. Thanks